Questions tagged [dnssec]

Domain Name System Security Extensions (DNSSEC) is a specification for securing certain kinds of information provided by the Domain Name System.

1 vote
0 answers
8 views

Can I add a Trust Anchor for a specific domain?

Some TLDs unfortunately still don't support DNSSEC all the way to the root. However, is it possible to add a specific DNSKEY to my resolver (currently using knot-resolver) so that a signed zone can ...
singpolyma
0 votes
0 answers
43 views

DNSSEC - Unable to sign the relevant files

I have set up a working DNS server on an Ubuntu 22.04 LTS as part of a single server (DNS, SPF, Email, firewall etc) IP: 192.168.122.189 Test Domain: jetj.ltd Hostname:mail The files I have are: db....
Kartibok
1 vote
1 answer
49 views

Understanding RRSIG DNS query

Is the presence of RRSIG highly uncommon? I tried to fetch RRSIG records for many popular domains, including trying out different resolvers. I didn't get any RRSIG records in the answer section. dig @1....
Ashwin
0 votes
2 answers
810 views

Certbot error - DNSSEC: DNSKEY Missing

I moved my domain to Route53 and am now getting problems with Certbot renewal. Certbot has been running great for 4 years, but is now failing to renew. When running sudo certbot renew --apache I get ...
Malako
0 votes
1 answer
95 views

Why can't I activate DNSSEC for domains with a gg ccTLD, despite the fact that there are many domains which have a valid signature?

This is my first question and I hope that I'm in the right community. I bought a gg domain a while ago and wanted, later needed, DNSSEC. After the purchase I encountered the problem that I cannot ...
W48B1T
0 votes
1 answer
176 views

BIND DNS - DNSSEC on Internal Private Domain

Question regarding DNSSEC. I have an internal private TLD, e.g. corp. Underneath that are multiple subdomains, e.g. region-a.corp, region-b.corp etc. And possibly underneath the regions, there are further ...
LFC1892
0 votes
1 answer
281 views

opendkim-testkey: key not secure (file permissions are good and TrustAnchorFile config setting is set)

If I run sudo opendkim-testkey -d mydomain.com -s selector -vvv, I get opendkim-testkey: using default configfile /etc/opendkim.conf opendkim-testkey: checking key 'selector._domainkey.mydomain.com' ...
Robert K S
0 votes
0 answers
50 views

How do I know the key sizes of my Bind DNSSEC keys?

I set up DNSSEC on my private domain many years ago and unfortunately forgot all about it. Bind now tells me it's about to deprecate auto-dnssec in favour of dnssec-policy and I need to migrate my ...
Morgan Wesström
0 votes
1 answer
197 views

How do I enable DNSSEC on NameSilo (using DS records from YDNS)

(First of all, I am new to domains in general and DNSSEC). I have tried to enable DNSSEC on NameSilo for my domain. I only have the DS records in plain text and don't know which value has to be ...
zip6como
1 vote
1 answer
134 views

BIND auto-dnssec is signing records with ZSK and KSK

I'm doing a rollover of my KSK and ZSK (concurrent with a server transfer) and BIND (version 9.16.23) has started causing problems for me. I have the following keys in my directory: ; Kexample.ca.+007+...
miken32
2 votes
1 answer
151 views

Migrating signed zones between BIND servers

I'm having some troubles migrating a signed DNS zone to a new server. I've copied over the zone files (unsigned, signed, and journal), signing keys, and DS sets. Once in place, BIND is happy to serve ...
miken32
0 votes
1 answer
829 views

Securing DNS: Is combining Unbound with DNSMASQ and DNSCrypt Proxy necessary or beneficial on a Debian 11 system?

I've recently taken an interest in DNS security and have opted to use the "dnscrypt-proxy", "dnsmasq" and "unbound" packages on my Debian 11 system chained together in the ...
Lil Cyanide
13 votes
2 answers
2k views

How is my DNSSEC enabled domain still serving a tiny number of NXDOMAIN response codes?

I enabled DNSSEC on my primary domain about a week ago. It's not a major website or anything -- just my personal domain name that I use for email and the like (TLD: com; DNSSEC algorithm 13; ...
Collin
2 votes
1 answer
406 views

Remove RRSIG record from GoDaddy subdomain

I added 4 NS entries for a subdomain for a SalesForce email campaign. SalesForce has since complained they see an "RRSIG entry for the subdomain" and they "do not support (add to NS) ...
Steve
0 votes
0 answers
290 views

Is it possible to have different internal and public DNS with DNSSEC?

I'm attempting to achieve the following: A public nameserver for my domain which points example.com to a public IP address. A private nameserver for the same domain running within a LAN which instead ...
Ellis
2 votes
2 answers
2k views

Configuring BIND9 (ver 9.16) to allow TXT DNS updates from Let's Encrypt

Solution to the below problem: Use $ddns-confgen or $tsig-keygen, the former provides you with the syntax to paste into your named.conf file Problem: I am trying to configure a BIND9 (ver9.161-Ubuntu) ...
Ian B
1 vote
2 answers
1k views

How Do I Fix My DNSSEC? I never got DNSSEC working and have probably worsened the problems

My attempt at DNSSEC has not been successful. To help understand DNSSEC I have read many online articles, man pages for rndc, dnssec-*, viewed dnsviz.net and dnssec-analyzer.verisignlabs.com/. Most of ...
Anthon
0 votes
1 answer
1k views

BIND 9.16 dnssec-policy default is not automatically renewing keys

Three months ago I upgraded my DNS servers to BIND 9.16 (currently running 9.16.25) to take advantage of the new dnssec-policy default option which would allow me to easily run DNSSEC for my domains. ...
Christopher Hinkle
0 votes
1 answer
148 views

I need an explanation as to what is happening when I change the zone file of a DNSSEC enabled domain

I recently moved our hidden DNS master service to a new host, DNS38. The original master service is still running but is not being polled at the present time. The old master, and all the ...
James B. Byrne
0 votes
1 answer
296 views

When setting up DNSSEC on Bind, which DNSKEY records belong in the zone file?

Should the zone file only contain the KSK's DNSKEY record, or should it contain the ZSK's DNSKEY record as well?
ADS103
0 votes
1 answer
677 views

Why does an authoritative name server not DNSSEC-validate its own results?

If I query a name server for a record it is authoritative for, it seems the answer does not get DNSSEC validated: $ dig cloudflare.com @ns3.cloudflare.com ; <<>> DiG 9.16.22-Debian <<>...
Adrian Zaugg
0 votes
0 answers
712 views

How do I prevent Bind from retiring non-expiring DNSSEC keys when using DNSSEC Policy?

To control when signatures expire, I've switched to using dnssec-policy to generate DNSSEC records for my zones. This has solved the issue of getting RRSIG records to expire when they should but ...
Tenders McChiken
0 votes
1 answer
142 views

DNSSEC Migration with only KSKs migrated

Short version: If a DNSSEC-signed zone suddenly replaces both ZSKs (and all records related to the old ZSK), and at the same time keeps the KSKs (which are referenced by the upstream server). Will it ...
Zerqent
1 vote
1 answer
2k views

How do I extend the expiration date of every DNSSEC signature in bind9?

I have a dnssec-secured domain that needs to remain valid for 8 weeks when all masters become unreachable. To my understanding, setting sig-validity-interval to 64 7 in the zone's configuration file ...
Tenders McChiken
0 votes
1 answer
895 views

How to force BIND 9.16 to resign my zones after editing zone file

I'm using BIND 9.16 new dnssec-policy feature on my zones, following the guide to enable DNSSEC. Everything worked like a charm. Now, I need to add another record to one of my zones, but after editing ...
André Casteliano
0 votes
2 answers
346 views

What happens if a resolver encounters a DNSSEC algorithm it does not support?

Does it refuse to return the requested record, or does it return the record, treating the domain as unsecured?
Tenders McChiken
2 votes
2 answers
526 views

Is DNSSEC useful?

DNSSEC validates and authenticates zone data with the purpose of making sure that whatever the DNS results are, they are genuine. Even if a DNS resolver validates that an authoritative nameserver has sent the ...
Noob
0 votes
0 answers
65 views

DNSSEC in Spain

I tried to set up DNSSEC for a .es domain. The nameservers are on Cloudflare and GoDaddy is the registrar. I wasn't able to, and then a 'GoDaddy Guide' (chat support) told me that DNSSEC would generally ...
jamacoe
0 votes
0 answers
180 views

Which DS record will a validator choose when there are multiple valid DS records?

If there are multiple DS records with each using a different but RFC-compliant algorithm and digest type, is there any way to predict how real world validators will select one? I've tried to, for ...
Paul
0 votes
1 answer
39 views

Transfer DNSSEC signed zones on GCP

I'm transferring zones between different Google Cloud Platform accounts which have been signed using DNSSEC. I've put the new zone into DNSSEC transfer state but when I try to load the DNSKEY into the ...
buckaroo1177125
8 votes
1 answer
1k views

SSHFP not working

I have two machines running OpenBSD v6.9. Let's be original and call them client and server. I generated the SSHFP records on the server with: ssh-keygen -r host.domain.tld In the DNS zone, I added ...
fzefezgregarg
1 vote
0 answers
233 views

Do clients need to validate DNSSEC signatures?

I'm tasked to configure our domain to use DNSSEC. We currently use AWS Route 53 as both our registrar and DNS hosting provider. According to the AWS documentation, Route 53 supports DNSSEC at both of ...
Juan Vega
0 votes
2 answers
823 views

DNSSEC automatic signing isn't automatic

I'm having trouble with getting DNSSEC automatic signing to actually be automatic. It fails to sign automatically (well, it does sign automatically, but apparently signs the wrong thing, see below). ...
Linas
2 votes
1 answer
338 views

DNSSEC: do you need to renew anything?

I have followed this tutorial to configure DNSSEC: https://www.digitalocean.com/community/tutorials/how-to-setup-dnssec-on-an-authoritative-bind-dns-server-2 If you don't modify your zone, do you ever ...
nft
3 votes
2 answers
9k views

Bind9: Disable DNSSEC validation on per zone basis?

I am trying to make a caching / forwarding only DNS server using Bind9 with DNSSEC validation being enabled by default. Assume you have the following information from my config file: acl "home-...
Lasse Michael Mølgaard
0 votes
1 answer
390 views

Does DANE allow for trustable self-signed certificates?

DANE has 4 modes of operation indexed 0-3, with mode 3, i.e. Domain issued certificate, allowing for self-signed certificates. Can this mode be used in a trustable manner? And if so, does that mean that ...
MShakeG
0 votes
0 answers
73 views

Does manually re-signing a changed zone file with the same keys break the DNSSEC support from the upstream parent zone?

I send the DS set of example.company.com to my company.com provider. I also manage a couple of subdomains which are subject to change eventually: subdomain1.example.company.com and subdomain2.example....
Mnemosyne
0 votes
1 answer
2k views

On AWS during DS record creation I get an error, DS record with DNS name ex.com not permitted in zone ex.com. Why might this be?

Environment: AWS, DNSSEC When I attempt to create a DS record to establish a chain of trust I get an error that I don't understand. My full error. Error occurred Bad request. (InvalidChangeBatch 400: ...
myNewAccount
1 vote
0 answers
917 views

dig does not show the content of DS, DNSKEY or any DNSSEC related record, SERVFAIL

I want to see the content of records using dig but any RR related to DNSSEC comes up empty. This happens on two laptops of mine. I'm running Ubuntu 18.04. Is there any setting I can fix to stop ...
Mnemosyne
2 votes
1 answer
79 views

Webex not using DNSSEC

Our government issued a statement that all video/voice online enabling software needs to use DNSSEC for all address translations and all used DNS servers need to support DNSSEC. I tried a few DNSSEC ...
Josef Novák
1 vote
1 answer
1k views

What are good default settings for DNSSEC?

I use Google Domains and just opened an account with A2 Hosting. I'd like to keep using DNSSEC. A2 Hosting requires me to "Please open a support ticket and provide the following information: DS ...
sean.mcgrath
0 votes
0 answers
231 views

Different DNS records on offline local network with valid DNSSEC

This is pretty much DNS spoofing on local network including DNSSEC, but I believe it should be somehow possible since I'm the legitimate owner of the domain. I'm planning to provide a service during 1-...
M. Volf
0 votes
0 answers
39 views

My co.za domain name won't propagate

I bought a co.za domain name at GoDaddy and changed the A record to point to Justhost. However the domain will not propagate. I checked https://dnschecker.org. It's been over 72 ...
Justine
8 votes
1 answer
9k views

opendkim-testkey: key not secure

I set up the OpenDKIM milter to work with Postfix on my machine. Now email is signed & verified correctly, i.e. the email source code shows a DKIM-Signature header. The TXT record on the authoritative DNS is set ...
71GA
1 vote
1 answer
142 views

DNSSEC - Google Cloud and Cloudflare - Which DS Record do I give to the Registrar?

I have managed to really confuse myself here with enabling DNSSEC for the first time ever. I am using Google Cloud compute engine running a WordPress website for hosting. My domain registrar has its ...
Dilation
0 votes
1 answer
225 views

DNSSEC - DNS/domain providers that enable DANE DNS records [closed]

Our company registered domain "example.eu" with Gandi which has a "one click solution" to enable the DNSSEC for our domain's zone. So we enabled it, waited until dnsviz inspection ...
71GA
2 votes
1 answer
3k views

Use of private and public DNS with DNSSEC

My company, 'example.com', has a public host www.example.com. The (legacy Windows managed) internal network has several internal hosts internalhost1.example.com, internalhost2.example.com and so on. ...
anneb
0 votes
1 answer
246 views

DNSSEC can easily be spoofed?

I want to know the purpose of DNSSEC, what problem does it really try to solve? I think DNSSEC can easily be spoofed by inserting a non-DNSSEC DNS server into the network that serves a non-DNSSEC copy ...
anneb
2 votes
1 answer
3k views

Removing DNSSEC - Can it be done, and how can I?

A little while ago, I deployed DNSSEC because in doing so I reduced the number of security configuration checks I needed to implement on my local domain's DNS. These are Windows Server 2012R2 ...
The ITea Guy
2 votes
0 answers
356 views

Setup Knot DNS DNSSEC with automatic key management

I am new to DNS. I am trying to set up public authoritative DNS servers for a dot net domain using Knot DNS. Generally the documentation is pretty clear, but when it comes to DNSSEC it is confusing. ...
Falstone